
The penalties would undoubtedly have been much higher if they didn't disclose it. Of course, perhaps it never would have been discovered, but whistleblower protections/incentives and high enough penalties for covering up issues can set the right balance.

It's similar to just about any other violation, really: if I injure someone accidentally—even through negligence—I'm going to get a much more lenient punishment if I don't try to cover it up or run away from it.



Who in their right mind is going to whistleblow and risk their entire career over a security flaw that was detected internally, found to be unutilized, and was fixed in a timely fashion?

The fact that such a case even has reporting requirements at all seems nuts to me.


Good - then the person who sees that they didn’t report it can whistleblow on that and get a nice paycheck.

See how that works out for the person who didn’t report it.


I am shocked to see the "let's make writing vulnerable code illegal" take be so popular on HN. If you have written any meaningful amount of code, you have written vulnerable code.


Writing vulnerable code is not illegal, negligence is.


Every case I've seen in my career where this has happened has not been "negligence" but developers not realizing there's some obscure logging middleware or something.


Devil's advocate: "my bridge fell down because I didn't know the concrete didn't meet spec". Does that still seem like negligence?


Cool story I guess, but that’s not related to anything I said.


An employee who left for another job or simply retired and who feels this was wrong. Plenty of lads in Meta earn enough to buy a house and have some investments that there is little leverage over them to ruin their careers.


SWE in security here. Why the heck would I "whistleblow" in a scenario where a vulnerability was internally found, unused, reported to legal, and fixed? That is part of any healthy SDLC.

The EU is implying that it is illegal to accidentally write vulnerable code. Pure insanity, nearly every software company would go out of business overnight if this was a stance they actually enforced.


“nearly every software company would go out of business overnight if this was a stance they actually enforced”

For the better, if your attitude is the “healthy SDLC”.


I'm sure we've literally never written a vulnerable line of code in our lives, right?

Security reviews are part of a healthy SDLC. You catch vulnerabilities as part of security reviews as they would be totally unnecessary if people simply wrote perfect code to begin with.


Ideally because the law requires reporting vulnerabilities, and includes criminal penalties for those who knowingly hide vulnerabilities.


When I worked in tech, we reported the vulnerabilities internally and passed them off to legal. Taking that to the government was legal's job.

I am not gonna go out of my way to "whistleblow on vulnerabilities to the EU" after I have done my job and reported everything to legal.



